An excellent article on CSO Online, written by Andrew Jaquith, on where CISOs should focus their efforts at securing data.

Instead of trying fruitlessly to be the enterprise's all-knowing content guardian, censor authority, and compliance guru, the CISO devolves responsibility of these activities to the business. IT security becomes a clearinghouse for data security tools that business groups can use as they see fit.

As well as:

Responsibility for classifying information and restricting its flow is ultimately a business challenge, not a technical challenge. How documents, spreadsheets, and emails are used depends on workgroup and business unit preferences. So it is with data security.

That means that inside counsel owns email eDiscovery and retention, product engineering owns CAD drawings, and finance owns accounts and earnings projections. These groups know who should and should not have access and what should happen if their assets are misused. IT security's primary role should be to help source, design, and install the technical controls in place that will enable them to express and enforce their compartmentalization needs—not to be the gatekeeper.

Those who still think they can use social networking sites and be anonymous should read this article about research done at the University of Texas at Austin. Arvind Narayanan, one of the researchers, said: "The more of a person's network you can map out, the easier it gets to de-anonymize someone in the future."

Mozilla, maker of the Firefox browser, will be releasing an update early next week for a newly discovered vulnerability. The exploit "provides an opening through which attackers can enter Firefox source code and modify it. If a Firefox user simply views a maliciously coded XML file on a website, in a style of attack known as a drive-by download, the exploit installs unwelcome software onto the victim's machine." [emphasis mine]

The high-priority update will fix the flaw, which is reported to be exploitable on multiple platforms (Windows, Mac, Linux).

Security professionals have long warned about the abundance of information that people are willing to share about themselves and others, including relatives, friends, and even perfect strangers. This data is useful to cyber criminals seeking to guess your password, reset your account, or fool you into clicking, viewing, or downloading malicious content.

The funny thing is that security professionals are people too, and they also use social networking sites. You can follow many of them on Twitter, for example; the SecurityTwits database is a good place to start. Just don't expect to find much personal data or easy-to-guess passwords.

David Omand, former director of the UK's Government Communications Headquarters, released a study about the need for government-level digital surveillance. Among the more troubling of his statements is his view that "finding out other people's secrets is going to involve breaking everyday moral rules."

Any business, of any size, in any industry, in any location, is a possible target for PII [Personally Identifiable Information] theft and cybercrime if they possess any type of employee, customer or other consumer PII. -- Rebecca Herold, aka The Privacy Professor, Principal of Rebecca Herold & Associates LLC

While security researchers have been looking into the possibility of using the BIOS to create a permanently infected machine for some years, the Core Security team is reported to have devised a technique that would work on "virtually all types of systems."

Because the infection lives in the computer's BIOS, or basic input/output system, it persists even after the operating system is reinstalled or a computer's hard drive is replaced.

Can you have data security without physical security? I hope you know the answer for your particular facility in light of this research project from the University of California San Diego called "Sneakey." Sneakey is software that can produce a physical duplicate of a key from a digital image. In an experiment conducted from 195 ft away, the researchers took a digital photo (with a zoom lens) of a key chain and recovered all five bitting codes (the depths of the cuts on the key), enough to create a duplicate key.

Tax documents are a treasure trove of information, containing name, date of birth, Social Security number, and current address. I find the lack of concern for one's most sensitive information most disappointing (note: small sample size, only 1,091 participants surveyed in February 2009):

The survey also showed that one-third of the respondents who rely on the services of a tax preparer were not at all concerned about the possibility of becoming victims of identity theft when choosing their preparer. An additional 23 percent were somewhat concerned and only 18 percent were very concerned.

Small and medium-sized businesses are often at a loss when it comes to the threats they face and the mitigation strategies they should pursue. While written by a security vendor, GFI, the nine-page document is a worthwhile read for any SMB.

The key to making corporate systems safer does not only require investment in software or hardware security products; very often more knowledge, awareness and a better understanding of existing security policies would be enough to reduce the risk of malware infection, data leakage and fraud.

The security firm Finjan has released its latest Cybercrime Intelligence Report. Cybercriminals used affiliate networks to boost their malware and rogueware distribution, using Search Engine Optimization (SEO) techniques to drive additional traffic, and thus revenue. In this case, they made $172,800 in 16 days.

Investigating a number of bomb threat hoaxes targeting several college campuses (including Boston College, Purdue University, Clemson University, the University of North Carolina, and Florida State), police found that the suspect used internet-accessible webcams to monitor the law enforcement response at each campus.

Meanwhile, the real victims - people who suffer from identity theft, lost time, or credit fraud - get a nice little letter telling them 'We made a mistake and it's your problem to clean it up. Have a nice day.' To me, the banks and payment companies who are suing each other and finger-pointing are a side-show; they're in business and are simply incurring an unexpected cost for mistakes made. Let's not overlook the victims: real human beings. -- Marcus Ranum, CSO Tenable Security.

For all the browsers on operating systems, the hardest target is Firefox on Windows. With Firefox on Mac OS X, you can do whatever you want. There’s nothing in the Mac operating system that will stop you.

The quote is from Pwn2Own hacker Charlie Miller, interviewed by ZDNet's Ryan Naraine. Charlie was the first to break into a Safari browser running on a (patched) MacBook.

Leave it to the folks at SRI International to publish one of the best writeups on the workings of the worm and its impact on honeynets, where it takes over as the dominant infection. They also recently updated their Conficker worm analysis (see direct link to the addendum below).

Why Conficker has been able to proliferate so widely may be an interesting testament to the stubbornness of some PC users to avoid staying current with the latest Microsoft security patches. Some reports, such as the case of the Conficker outbreak within Sheffield Hospital's operating ward, suggest that even security-conscious environments may elect to forgo automated software patching, choosing to trade off vulnerability exposure for some perceived notion of platform stability.

This news article reports on a recent CanSecWest presentation by researchers from InversePath on two different methods of sniffing keystrokes from 50 ft away: one uses a laser (which needs line of sight to the laptop), the other picks up the electrical signals of a PS/2 keyboard that leak, through the PC it is plugged into, onto the ground wire of the power outlet.

If you've ever been curious as to what information goes into a credit card number, this is a good read. It provides enough detail to write a simple program to validate credit card numbers.
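As an added example (my own code, not taken from the article linked above), here is a small Python program that does the checks the article describes: it validates a candidate number with the Luhn mod-10 checksum, computes the check digit for a partial number, and identifies the issuer from the well-known leading digits and lengths of the four major US brands. The issuer table is an illustrative assumption, not a complete IIN database, and the numbers used in the comments are widely published test numbers that belong to no real account.

```python
import re

# Assumption: a short illustrative table of issuer prefixes (IINs) and
# lengths for four major US brands; real IIN databases are far larger.
ISSUER_RULES = (
    ("American Express", ("34", "37"), (15,)),
    ("Visa", ("4",), (13, 16)),
    ("MasterCard", ("51", "52", "53", "54", "55"), (16,)),
    ("Discover", ("6011",), (16,)),
)


def normalize(number: str) -> str:
    """Strip spaces and dashes; reject anything that is not all digits."""
    cleaned = re.sub(r"[ -]", "", number)
    if not cleaned.isdigit():
        raise ValueError("card number must contain only digits, spaces or dashes")
    return cleaned


def luhn_sum(digits: str) -> int:
    """Luhn (mod 10) sum: walking from the right, every second digit is
    doubled and, if the product has two digits, those digits are added
    (which is the same as subtracting 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True when the number passes the Luhn checksum, e.g. 4111 1111 1111 1111."""
    digits = normalize(number)
    return len(digits) >= 12 and luhn_sum(digits) % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """The digit that, appended to `partial`, makes the whole Luhn-valid."""
    digits = normalize(partial)
    return (10 - luhn_sum(digits + "0") % 10) % 10


def issuer(number: str):
    """Issuer name from prefix and length, or None if no rule matches."""
    digits = normalize(number)
    for name, prefixes, lengths in ISSUER_RULES:
        if digits.startswith(prefixes) and len(digits) in lengths:
            return name
    return None


def classify(number: str) -> dict:
    """What a simple DLP-style scanner would report for a candidate number."""
    digits = normalize(number)
    return {"digits": digits, "luhn_ok": luhn_valid(digits), "issuer": issuer(digits)}


if __name__ == "__main__":
    for candidate in ("4111 1111 1111 1111", "378282246310005", "4111111111111112"):
        print(candidate, classify(candidate))
```

One caveat: the Luhn check only catches typos and weeds out random digit strings. Passing it says nothing about whether the card exists or is active, so treat it as a false-positive filter in a DLP scanner, not as a security control.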

According to this article from The Register, "a reliably exploitable IE vulnerability now fetches $100,000 on the black market." While the dollar figure itself may be debatable, one fact isn't: most hackers are in it for the money; the rest are security researchers. At the Pwn2Own 2009 competition, "Nils", a student from the University of Oldenburg in Germany, compromised Safari, IE8, and Firefox.

For those who still believe that their favorite browser (in this case Safari, but ultimately it could be any browser) is safe in a sea of network attacks, think again. At the 2009 Pwn2Own competition, Charlie Miller compromised a Safari browser in a matter of seconds. Firefox and IE8 were also no match for a hacker called "Nils" (who also took second place against Safari).

For the more paranoid among you, now would be a good time to look at keeping your sensitive data off your everyday machine, or to start running browsers in virtualized environments (either full VMs or application virtualization).

If you're in software development or security, one of the questions you should be asking is which cryptographic algorithms are still safe to use. Why? One reason is that with every passing year CPUs get faster and gain more cores, memory gets bigger, and networks get more bandwidth, so key sizes and work factors that were once out of reach become affordable to attack. The other is that researchers keep finding flaws and vulnerabilities - some due to implementation errors, but others stemming from the algorithms themselves.

So, if you're wondering whether you should still be using MD5 hashes or 256-bit RSA encryption, go read this document for security's sake.

Privacy protection is a major issue and priority in most European countries. At the same time, however, the need for monitoring user Internet activity for discovering illegal activity, identifying employee misconduct, and so on is growing. In the process of achieving equilibrium between privacy and monitoring, some compromises concerning individuals' right to and expectation of privacy will certainly have to be made (as is occurring in Finland), something that will not sit well with most Europeans. -- Dr. Eugene Schultz, CTO of Emagined Security and member SANS NewsBites editorial board

Jon Leibowitz, FTC Chairman, warned companies that they must "protect their back doors from hackers, malware, spyware and other high-tech intrusion mechanisms and protect their front door by properly storing and disposing of consumers' data." He indicated that the FTC will not be shy about knocking on a company's door to evaluate its practices.

Speaking at the "Securing Personal Data in the Global Economy" conference on March 16, 2009, he also said: "Without adequate data security there really is no privacy."

It has the hallmarks of a real story, usually starting with "At least 12 people have been killed and more than 40 wounded in a bomb blast near market in..." However, don't be fooled by this message claiming to be from the Reuters news agency (it is not) which seems to be based on a story similar to this BBC news report (dated March 6, 2009).

The fake news report contains a link to a web site which then customizes the story based on your IP address and serves your machine with the Mal/WaledPak-E (aka Packed.Win32.Krap.i) malware.

An apparent break-in at an office in the College of Arts and Sciences at the University of Toledo, Ohio yielded more than just a computer: university officials will also be notifying 24,000 students about FERPA data exposure (student ID # and grades). More troubling is that the stolen computer also had data on 450 faculty, including names, birth dates and SSNs.

As is unfortunately all too common at colleges and universities,

The personal data was saved on the computer itself and not on the university's network, which officials are encouraging staff to do.

A university official claimed that the "computer was password protected and many of the files were specifically encrypted or individually password protected." However, as security professionals have long cautioned, "password-protected" documents (e.g. MS Word, MS Excel, PDFs) are not considered strong protection, as that "protection" can easily be cracked or bypassed; and an operating system login password does nothing for data on a drive that a thief can remove and read on another machine.

Twitter is to infosec professionals today what the ARPANET was to university researchers in the early 80s - a communication revolution connecting the best minds on the planet. -- Dr. Christophe Veltsos, Dr. InfoSec™

Managing Information Technology (IT) doesn't have to be boring. This blog post from Kevin Behr manages to connect IT management (focus on automation) and Piggly Wiggly, a chain of grocery stores mainly in the Southern US.

Anyone who's had the opportunity to hear, read, or talk to Michael Santarcangelo, founder of Security Catalyst, knows him for his focus on the people side of information security. In this interview with CSO Online, Michael has some tips for security professionals to help them get executives and boards to understand and approve spending decisions in these tough economic times.

This is as controversial as it gets. As part of a news program called "Click", the British Broadcasting Corporation (BBC) ran a story about cyber security in which it controlled a botnet of at least 22,000 computers. It used the botnet to send spam (to its own accounts) and to perform a Distributed Denial of Service (DDoS) attack with the permission of the site owner. Once done with its experiment, the BBC "warned users that their PCs are infected, and advised them on how to make their systems more secure" by modifying their desktop backgrounds.

There are several actions for which the BBC could find themselves in hot water:

They may have violated the UK Computer Misuse Act by sending spam.

They may have violated laws by conducting a DDoS attack.

They may have violated laws by changing content on compromised machines (i.e. the zombie machines that make up the botnet), in this case by modifying the desktop background image.

Writing about yet another report of a lost memory stick containing unencrypted sensitive data, Marcus Ranum had this to say:

Let people copy critical data around, and critical data will leak; it's that simple. Encryption is not a panacea, because of the prevalence of keylogging trojans and the fact that people will have to have the data unencrypted, at some point, in order to use it. The answer to data leakage is data control. There is no "plan B". -- Marcus Ranum, member SANS NewsBites editorial board

For those who still believe that physical security is not a big issue with respect to data security, this illustrated tutorial shows just how easy it can be to change the password for the root account on a Linux machine.

The tutorial assumes that the disk is not encrypted and that the machine can be rebooted (usually trivial if you are sitting in front of it, i.e. have physical access).
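As an added check (my own code, not part of the tutorial linked above), the following Python audits exactly those assumptions on a Linux box: whether the root filesystem sits on a LUKS container, and whether GRUB has a superuser password so that boot parameters cannot be edited at the console. It parses the output of `lsblk -Pno NAME,PKNAME,FSTYPE,MOUNTPOINT` and the contents of grub.cfg. The sample outputs embedded below, including the password hash, are constructed placeholders rather than captures from a real machine.

```python
import re
import shlex


def parse_lsblk_pairs(text: str) -> dict:
    """Parse the KEY="value" lines produced by
    `lsblk -Pno NAME,PKNAME,FSTYPE,MOUNTPOINT` into {name: fields}."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def root_fs_encrypted(lsblk_text: str) -> bool:
    """True if the device mounted at / sits on top of a LUKS container
    (walk the parent chain via PKNAME until a crypto_LUKS node is found)."""
    devices = parse_lsblk_pairs(lsblk_text)
    current = next((d for d in devices.values() if d.get("MOUNTPOINT") == "/"), None)
    visited = set()
    while current is not None and current["NAME"] not in visited:
        visited.add(current["NAME"])
        if current.get("FSTYPE") == "crypto_LUKS":
            return True
        current = devices.get(current.get("PKNAME", ""))
    return False


def grub_requires_password(grub_cfg: str) -> bool:
    """True if grub.cfg names a superuser and a (hashed or plain) password;
    without both, anyone at the console can edit the kernel command line."""
    has_superusers = re.search(r"^\s*set\s+superusers=", grub_cfg, re.M) is not None
    has_password = re.search(r"^\s*password(?:_pbkdf2)?\s+\S+\s+\S+", grub_cfg, re.M) is not None
    return has_superusers and has_password


def physical_access_findings(lsblk_text: str, grub_cfg: str) -> list:
    """Plain-language findings for the two preconditions of the root-reset trick."""
    findings = []
    if not root_fs_encrypted(lsblk_text):
        findings.append("root filesystem is not on LUKS: offline edits to /etc/shadow are possible")
    if not grub_requires_password(grub_cfg):
        findings.append("GRUB has no superuser password: boot parameters can be edited at the console")
    return findings


# Constructed samples (placeholders, not taken from a real machine).
LSBLK_UNPROTECTED = '''
NAME="sda" PKNAME="" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="sda2" PKNAME="sda" FSTYPE="ext4" MOUNTPOINT="/"
'''

LSBLK_LUKS = '''
NAME="sda" PKNAME="" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="sda2" PKNAME="sda" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" PKNAME="sda2" FSTYPE="ext4" MOUNTPOINT="/"
'''

GRUB_OPEN = '''
set timeout=5
menuentry 'Linux' { linux /vmlinuz root=/dev/sda2 ro }
'''

GRUB_LOCKED = '''
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERHASH
menuentry 'Linux' --unrestricted { linux /vmlinuz root=/dev/mapper/cryptroot ro }
'''

if __name__ == "__main__":
    print("unprotected box:", physical_access_findings(LSBLK_UNPROTECTED, GRUB_OPEN))
    print("hardened box:   ", physical_access_findings(LSBLK_LUKS, GRUB_LOCKED))
```

On a live system, feed it the real `lsblk -Pno NAME,PKNAME,FSTYPE,MOUNTPOINT` output and the contents of /boot/grub/grub.cfg. Keep the caveat in mind: a GRUB password only matters if the BIOS also refuses to boot from removable media without its own password; otherwise the attacker boots a live CD and edits /etc/shadow directly. Only disk encryption protects the data itself.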

To be of value, the method of measurement employed should be reproducible, that is, capable of attaining the same result when performed independently by different competent evaluators. The result should also be repeatable, such that a second assessment by the same evaluators produces the same result. Relevance and timeliness are also implicit considerations, since it is of little benefit to have measures that are not meaningful or whose latency exceeds their usefulness.

Note: only an experienced Information Security Professional can make an actual SPPD diagnosis.

The Security Patch Procrastination Disorder is characterized by a general complacency towards the deployment of security patches. In its most extreme form, it is often accompanied by delusions that patching is simply not required for secure IT operations. When this behavior continues during widespread reports of critical patches, it is referred to as Acute Security Patch Procrastination Disorder or ASPPD for short.

SPPD often starts as a benign case of FSOS, or False Sense Of Security, often resulting from unprotected and unmitigated contact with vendor-based security marketers. If left untreated, FSOS eventually erupts into full-blown SPPD (see list of symptoms below). If diagnosed early by an Information Security Professional, SPPD can be treated with simple but regularly scheduled applications of COTS patches, also known as Commercial-Off-The-Shelf patches.

SPPD diagnosis requires the presence of at least two of the following symptoms, observed for at least one month:

Disorganized patching behavior (infrequent patching habits and other incoherent statements like "we apply critical security patches when we see a need")

Delusions about the state of software or hardware security (i.e. "what's the worst a software bug can do?")

If after appropriate information security evaluation and reassurance the condition persists, the entity is likely to suffer debilitating cases of JBH, or Just Been Hacked, often accompanied with MSG$, Must Spend Gazillion Dollars.

Speaking about the need to educate users about information security and phishing attacks, Rohyt Belani, CEO of The Intrepidus Group, said:

user education should be approached like a marketing exercise -- if users are nodding off, it will never be effective.

The information security community needs to get more creative in educating users about the dangers facing them in this web 2.0 world. How about a series of books and cartoons portraying the average users and the mean hackers?

Who's better at thwarting phishing attacks, men or women? According to a recent study, neither: men and women are equally likely to fall for a phishing attack. 23% of people will fall for (i.e., believe) a spear phishing (targeted phishing) attack, and attacks written with an authoritative tone are 40% more successful than those offering a reward (a bribe).

The SCMagazine article has several interesting points from Joshua Perrymon, CEO of PacketFocus: "We see around 70 percent response with directed attacks." Perrymon also cautioned that cultural differences affect a phisher's success: in the US, China, and Japan, authority is seldom challenged, a trait that phishers can use to their benefit.

I've had the good fortune of following Didier Stevens on Twitter for a few months, and his research into various software flaws is nothing short of amazing. Didier has demonstrated beyond doubt that the latest Adobe PDF zero-day flaw can be triggered even without user intervention. The culprit is one of the many things your machine does in the background, in this case the Windows Indexing Service (WIS). In order to index the contents of a PDF file, WIS needs to parse it. Yet the code responsible for parsing the PDF is itself vulnerable to this latest attack, which leads to the compromise of a process running with Local System privileges.

Much like a business has to innovate to survive, malware authors have shown remarkable imagination and determination in growing and securing compromised machines. The latest news reports on the enhancements the Conficker (aka Downadup) worm has received, including greater resilience against antivirus and analysis tools and an expansion of the list of domains it may phone home to from 250 to 50,000 per day.

If by some chance you still believe that no harm can come to you from running (or failing to detect) Peer-to-Peer (P2P) software on your network, then please read one of these posts, especially if you hold any kind of sensitive data about other people.

This post confirms a theory stemming from the recent adult webcam spam attack. While Twitter officials said they removed the "spammy" posts, a twitter search revealed that deleted tweets never die. It appears the Twitter search engine ignores deleted posts and happily displays valid & deleted posts for all to see.

To prove the theory, I decided to tweet and quickly delete the following: "This message has been deleted and should NOT show up in Twitter search." If you search for it on Twitter search (and possibly other third-party search tools), it will show up. If you don't feel comfortable clicking the link, copy/paste the text into Twitter search. To verify that the message has been deleted, you can click on "View Tweet" which will let you know that the message no longer exists.

This behavior exposes people's mistakes, and in the case of this recent attack, continues to paint a virtual target on their backs by revealing who fell for the scam in the first place. Twitter users, beware.

[Update 4/11/09: It appears that Twitter is now removing older tweets from the search results. To reactivate the tweet referred to in this blog post, I simply posted it again today, and promptly deleted it... but, as explained above, it still shows up in the search results.]

It's no secret that people have to be mindful of their social networking activities. The information security community has been sounding the alarm for several years, and now the message is finally reaching the mainstream media.

However, what the average user doesn't realize is that their actions speak louder than their status updates. Let me explain. Let's assume we have two social network users, Jane and John. While both are mindful of the information they post about themselves, Jane is more cautious than John, the latter being more "click-happy."

Reports of attacks on social networking sites are an almost monthly occurrence. Sometimes the attacks take advantage of vulnerabilities in the design or implementation of the various sites or of third-party add-ons. Yet, most often, the attacks simply use the flexibility and openness of the social networks, and their unsuspecting users, as the vector of attack. The latest example, reported today by Sophos' Graham Cluley, consists of Twitter messages touting interesting webcam conversations on a site called "chatwebcamfree.com".

While cautious Jane ignored the tweet, John's curiosity got the best of him: he clicked on the link. The result is that John's Twitter account now sends a tweet touting the same site, which reaches all of John's followers. As of 19:20 (CST), it is still unknown how the attack works, i.e. how it manages to send a tweet using John's account. However, there are several known attacks which could be used to obtain that behavior. The web site displays a web form asking for account credentials; it may be infecting the user's machine and may also be gathering passwords.

Now, any Twitter user who fell for this attack has in effect painted a large target on his back. Locating these users now becomes as simple as searching for the right term. A quick search reveals well over 500 posts containing the name of the target web site. While the oldest post is dated from 26 days ago, 99% of the activity seemed to have occurred today. Each of these users may now become the target of additional attacks.

Remediation strategies should of course help users exercise caution in their surfing habits. However, it may also fall on Twitter to remove these tweets in order to control the infection and help protect those that were lured from additional attacks.

[update1]As of 8:14p CST, Twitter has confirmed that 750 accounts fell prey to the adult webcam spam attack. However, while Twitter claims to have removed the "spammy" status updates, the searches conducted at 6:30p and at 8:30p show otherwise as the screenshot below indicates.

Organizations vary in their cultures. We expect, then, to find different cultural approaches to security management that apply to each organization [...] An important indicator as to the success of the security role is whether or not the protected population are inclined to comply with security controls, or work around them. Also, do they [users] feel like they can and should approach the security personnel when something looks awry.

I want a devil on my nuclear submarine [...] I want an entrepreneur in my consultancy and hospital. On a nuclear submarine the devil will be respected, but the entrepreneur will be less trusted or tolerated. In a consultancy, the response to the personalities will be reversed.

Posted by Chris Cronin in a SANS/GIAC discussion thread about good security (and reprinted with permission).

Good security will almost always make peoples' jobs harder. There is no need to make their jobs harder "just because we can." -- John Mark Allen, posted earlier today on SANS GIAC Advisory board mailing list, in reply to a somewhat heated discussion about security enforcement (reprinted with permission of the author).

I would also like to point the reader toward another related post by Dave Shackleford on "Practical Intelligence" in Infosec, dealing with the need to work with users instead of against them.

When someone faces the prospect of losing a job, they will do anything to ensure their family is fed and supported. Unfortunately, that includes doing things detrimental to their careers like stealing company information. It's our job to have the policies and security controls in place to protect our organizations and save people from themselves. -- Mark Weatherford, CISO for the State of California, and a member of the SANS NewsBites editorial board.

Gary McGraw, Ph.D., and colleagues Brian Chess, Ph.D., and Sammy Migues have released the Building Security In Maturity Model (BSIMM), which is meant to provide guidance on building more secure software. The 53-page document is aimed at "anyone charged with creating and executing a software security initiative." BSIMM also cautions that any software security initiative needs proper backing and visibility:

Most successful initiatives are run by a senior executive who reports to the Board or the CIO of an organization. These executives lead a group that we call the Software Security Group (SSG), charged with directly executing or facilitating the activities described in BSIMM. BSIMM is written with the SSG and SSG leadership in mind.

This is an important body of work, with input from representatives of Adobe, EMC, Qualcomm, Google, Wells Fargo, and Microsoft. The document is licensed under the Creative Commons Attribution-Share Alike 3.0 License (for license details, go to http://creativecommons.org/licenses/by-sa/3.0/).

In February 2009, the federal government was presented with a new report identifying strategic objectives for improved cyber-security. Produced by the Institute for Information Infrastructure Protection (I3P), the report examines the cyber-security challenges facing the economic, physical, and human infrastructures and called for making cyber-security a national priority.

People must be engaged as a positive force to improve cyber security. Information security systems must be easy to use by non-IT professionals; awareness and education campaigns must be directed at the public and private sectors; and security training should be taught in schools.

Earlier today, I had the chance to read an email that Forrester's Andrew Jaquith had posted. I asked him if he would share some of this early research with the rest of the community and was happy to see that he did.

Mining the information contained in the DatalossDB, Andrew found that while laptop-related breach reports grab the headlines, they often account for only a fraction of the number of records exposed by server breaches.

Arbor Networks has blogged about a phishing attack that exploits the fact that Internet Explorer does not always trust the Content-Type header returned in an HTTP response and instead sniffs the content to decide the MIME type on its own. In this case, phishers are using that behavior to craft content that renders as intended only in IE browsers.
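As an added example (my own code, not from the Arbor post), here is a Python check that models the behavior being abused: a legacy IE-style sniffer looks at the leading bytes of a response declared as text/plain (or carrying no type at all) and, if they contain familiar HTML tags, renders the page as HTML regardless of what the server said. The 256-byte window and the tag list are simplifying assumptions, not IE's exact algorithm, and the sample responses are constructed. The same function also shows the server-side fix: the X-Content-Type-Options: nosniff header, which IE8 honors.

```python
import re

# Assumption: the sniffer only looks at the leading bytes of the body;
# 256 is used here as a modelling constant, not IE's exact figure.
SNIFF_WINDOW = 256

# Tags that, when seen in the window, make a legacy sniffer treat a
# text/plain or untyped response as HTML (illustrative list).
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|a\s+href|table|title|div|img)\b",
    re.IGNORECASE,
)


def declared_type(headers: dict) -> str:
    """Media type from Content-Type, lower-cased, parameters stripped."""
    value = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return value.split(";", 1)[0].strip().lower()


def nosniff_set(headers: dict) -> bool:
    value = next((v for k, v in headers.items() if k.lower() == "x-content-type-options"), "")
    return value.strip().lower() == "nosniff"


def looks_like_html(body: bytes) -> bool:
    return HTML_MARKERS.search(body[:SNIFF_WINDOW]) is not None


def sniffable_as_html(headers: dict, body: bytes) -> bool:
    """True when a legacy-IE-style sniffer would render this response as
    HTML even though the server did not declare it as such."""
    ct = declared_type(headers)
    if ct == "text/html":
        return False          # nothing to sniff; it is HTML anyway
    if nosniff_set(headers):
        return False          # IE8+ honours the declared type
    if ct in ("", "text/plain"):
        return looks_like_html(body)
    return False


def audit(responses) -> list:
    """(url, declared type) for every response a sniffer would upgrade to HTML."""
    return [(url, declared_type(h) or "<none>")
            for url, h, b in responses if sniffable_as_html(h, b)]


# Constructed sample traffic (not real captures); example.invalid is reserved.
SAMPLE_RESPONSES = [
    ("http://example.invalid/login.txt",
     {"Content-Type": "text/plain"},
     b"Account notice\n<html><body><form action='http://example.invalid/steal'>"
     b"Password: <input name=p></form></body></html>"),
    ("http://example.invalid/readme.txt",
     {"Content-Type": "text/plain"},
     b"Plain text. Angle brackets <like these> are harmless."),
    ("http://example.invalid/login2.txt",
     {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"},
     b"<html><body><form>...</form></body></html>"),
    ("http://example.invalid/index.html",
     {"Content-Type": "text/html"},
     b"<html><body>hello</body></html>"),
]

if __name__ == "__main__":
    for url, ct in audit(SAMPLE_RESPONSES):
        print(f"would be rendered as HTML despite {ct}: {url}")
```

Two practical consequences follow from the model: a security scanner that trusts Content-Type will classify the first sample as harmless text while IE users see a login form, so proxies and scanners should sniff the same way the browser does; and any site that serves user-supplied content should send X-Content-Type-Options: nosniff so that the declared type is the one that counts.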

It's no secret that 2009 is promising to be a tough year for nearly everyone. With corporate budgets shrinking, companies are looking to reduce costs by cutting the workforce and/or the number of projects planned/funded. Yet, reports indicate that cybercrime and data breaches have reached new highs, and that organized crime is growing rapidly in the shadows of the digital age.

However, this atmosphere of gloom may be just what the doctor ordered. With less money to spend on security staff and technical controls, companies will have to make do with what they have: people and data. 2009 will be the year of going back to basics and corporations should focus on people and data by creating a company-wide risk management committee involving representatives drawn from leadership positions across every line of business. As Tony Hildesheim, vice president of IT for Washington State Employees Credit Union, said, their risk management committee "goes further in providing increased security awareness, and therefore improved security overall, than any tool we have implemented."

For those companies that find themselves holding an unacceptable level of risk, the popular security controls of 2009 are Data Loss Prevention (DLP), Full Disk Encryption (FDE), and Web Application Firewalls (WAFs).

While I've always wanted to write something like this, Aaron Hughes, President and CEO of IAC SecureTech and President of Vidoc Razor, beat me to it. A quick read but definitely worth it.

5. There is no evidence that the data has been misused.

4. It was a sophisticated attack.

3. Of course it is secure - the (Military/Law Enforcement/Government) uses this, so it has to be.

2. We have "insert favorite technology here" so we know we are all set.

1. We are compliant with (HIPAA, GLB, Sarbanes-Oxley, PCI, etc.) so we know we are secure.

This article contains a powerful and very accurate quote by Ken Dunham, director of global response at iSight Partners, on cybercrime and security technologies:

The sophistication and automation of financially motivated cybercrime is very steep today when compared with counter-efforts... Criminals are agile and able to outpace the rate of adoption of counter-technologies in the marketplace.

This nine-page report on the dangers of outsourcing in 2009 is a must-read for anyone whose organization is considering outsourcing options. It contains various nuggets of useful information, from a ranked list of the best (and worst) countries to an assessment of various offshore locations (safe vs. risky) across ten areas:

On March 1, 2009, NBC's Natalie Morales reported on Nightly News about the dangers that Peer-to-Peer (P2P) software users face. The family they interviewed used a P2P program (still popular with the teenage crowds) which, unbeknownst to them, was leaking tax return information onto the P2P network.

There are two ways that P2P programs can lead to data leakage: one is user misconfiguration, the other is software flaws. The first is somewhat easy to fix: if, after learning about the dangers of P2P programs, you still find a need to use them, be sure to configure the software so that it does not share your entire hard drive but only designated files and folders. The second, software flaws, is something the entire software engineering and information security communities have been trying to solve for several decades, with no end in sight.

However, this story opens up another worrisome aspect related to taxes: the small and medium-sized CPA firms and tax accountants all over the country who are entrusted by their customers to prepare their taxes. Tax returns are rich with personal information and need to be appropriately secured. Next time you drop off your tax records, ask how your information will be protected. If instead you do your own taxes, be sure to safeguard any data files and/or PDF documents you generate, either by encrypting them or by storing them off the main computer (e.g. in a safe, preferably encrypted as well).

This article discusses the various avenues available to an Information Security Officer (ISO) who has just discovered that an employee has been visiting "naughty sites and saving certain files locally."

The utility of this article is in the subtleties of each of the options available to the ISO. Every ISO should read it.

Waledac now has another weapon to lure users into installing it: geolocation-based ads. This feature is used to serve what appear to be local ads or coupons, which in turn increases the appearance of being a legitimate service.

As a faculty member, one of my hopes is that I can make a difference in the lives of the students that I get to have in class. A former student, now clearly on his way to a successful career in Information Security, said to me just this week: "I probably wouldn't be in this field [infosec] if not for your classes."

Getting to see this student mingle with various infosec professionals and knowing that I had something to do with it is its own reward.

It seems a military contractor has allowed a file containing sensitive data about Marine One to be shared over a Peer-to-Peer (P2P) network. The file was tracked making its way to an IP address in Iran; it contained highly sensitive blueprints for Marine One, including details about the helicopter and avionics packages.

With the proliferation of "sharing" technologies such as P2P and Sharepoint sites, the need for Data Leak Prevention (DLP) is growing. While DLP solutions are still maturing, entities housing sensitive information should take another look at what is running inside their networks and start looking into what's leaving their networks as well.

Many of these sharing technologies are set up by regular users rather than by IT, following a documented process and with a documented business need. This often leads to misconfigured settings that allow too much access to information.
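As an added example serving both the earlier point about misconfigured P2P shares and the DLP point here (my own code, not a product or the page's own), the following Python walks a shared folder and flags files that should never be exposed: it looks for SSN-shaped values (filtered through the SSA's impossible-range rules to cut false positives), for phrases that mark US tax documents, and for suggestive file names. The sample share it builds in a temporary directory is constructed, and the keyword lists are illustrative assumptions.

```python
import os
import re
import shutil
import tempfile

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Assumption: small illustrative keyword lists, not a full DLP policy.
TAX_MARKERS = ("form 1040", "form w-2", "schedule c", "adjusted gross income")
SENSITIVE_NAME_HINTS = ("tax", "1040", "w2", "w-2", "return", "payroll")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues (area 000/666/900+, group 00,
    serial 0000) so that order numbers and phone fragments are not flagged."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_text(text: str) -> list:
    """Reasons a piece of text looks like tax or identity data."""
    reasons = []
    ssns = [m for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]
    if ssns:
        reasons.append(f"{len(ssns)} SSN-looking value(s)")
    lowered = text.lower()
    hits = [k for k in TAX_MARKERS if k in lowered]
    if hits:
        reasons.append("tax form markers: " + ", ".join(hits))
    return reasons


def scan_share(share_root: str) -> list:
    """Walk a shared folder; return (relative path, reasons) for every file
    that should not be visible to a P2P network. Only the first 1 MB of
    each file is examined."""
    findings = []
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if any(hint in name.lower() for hint in SENSITIVE_NAME_HINTS):
                reasons.append("file name suggests tax/payroll data")
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    reasons += scan_text(fh.read(1_000_000))
            except OSError:
                reasons.append("unreadable")
            if reasons:
                findings.append((os.path.relpath(path, share_root), reasons))
    return sorted(findings)


def build_sample_share() -> str:
    """Create a temporary 'shared folder' with constructed sample files."""
    root = tempfile.mkdtemp(prefix="p2pshare_")
    samples = {
        "music/track01.txt": "just some song lyrics, nothing sensitive",
        "Documents/2008_tax_return.txt":
            "Form 1040 - Adjusted gross income 54,210\nSSN 123-45-6789\n",
        "Documents/notes.txt": "call the plumber; order number 000-00-0000",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def cleanup(share_root: str) -> None:
    shutil.rmtree(share_root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_share()
    try:
        for rel, reasons in scan_share(root):
            print(rel, "->", "; ".join(reasons))
    finally:
        cleanup(root)
```

Point it at the folder your P2P client actually shares (or at a SharePoint export) before worrying about the network side; if the scan turns up a tax return, the fix is to move the file out of the share, not to tune the scanner.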

About Me

Chris, aka Dr.InfoSec, is passionate about helping organizations take stock of their cyber risks and manage those risks across the intricate landscape of technology, business, and people. Whether performing information security risk assessments, working alongside CIOs & CISOs to set and communicate strategic security priorities, or advising board members on effective governance of cyber risks, Chris enjoys working with business leaders to improve their organization's cyber risk posture.

Disclaimer

The views and opinions expressed here are those of Dr. Veltsos only and in no way represent the views, positions, or opinions of any previous, current, or future employers, clients, or associates.

All content on this blog is provided as general information and is for educational purposes only. It should not be construed as professional advice or guidance. All trademarks and copyrights on this blog belong to their respective owners.